Ruleset Update Summary - 2023/07/18 - v10374

Summary:

32 new OPEN, 100 new PRO (32 + 68)

Thanks @zscaler, @_JohnHammond


Added rules:

Open:

  • 2046829 - ET WEB_SPECIFIC_APPS Zimbra XSS via momoveto (web_specific_apps.rules)
  • 2046830 - ET MALWARE IcedID CnC Domain in DNS Lookup (skofilldrom .com) (malware.rules)
  • 2046831 - ET MALWARE IcedID CnC Domain in DNS Lookup (anscowerbrut .com) (malware.rules)
  • 2046832 - ET MALWARE IcedID CnC Domain in DNS Lookup (wiraofise .com) (malware.rules)
  • 2046833 - ET MALWARE IcedID CnC Domain in DNS Lookup (illboardinj .com) (malware.rules)
  • 2046834 - ET MALWARE IcedID CnC Domain in DNS Lookup (hloyagorepa .com) (malware.rules)
  • 2046835 - ET MALWARE IcedID CnC Domain in DNS Lookup (newwildtuna .top) (malware.rules)
  • 2046836 - ET MALWARE IcedID CnC Domain in DNS Lookup (appkasnofert .com) (malware.rules)
  • 2046837 - ET MALWARE IcedID CnC Domain in DNS Lookup (firestansinbox .com) (malware.rules)
  • 2046838 - ET MALWARE IcedID CnC Domain in DNS Lookup (fishofgloster .pw) (malware.rules)
  • 2046839 - ET MALWARE Observed Glupteba CnC Domain (robloxcdneu .net in TLS SNI) (malware.rules)
  • 2046840 - ET INFO DYNAMIC_DNS Query to a *.rootsbobcat .com Domain (info.rules)
  • 2046841 - ET INFO DYNAMIC_DNS HTTP Request to a *.rootsbobcat .com Domain (info.rules)
  • 2046842 - ET INFO DYNAMIC_DNS Query to a *.lawsonengineers .co .uk Domain (info.rules)
  • 2046843 - ET INFO DYNAMIC_DNS HTTP Request to a *.lawsonengineers .co .uk Domain (info.rules)
  • 2046844 - ET INFO DYNAMIC_DNS Query to a *.grid-tronics .com Domain (info.rules)
  • 2046845 - ET INFO DYNAMIC_DNS HTTP Request to a *.grid-tronics .com Domain (info.rules)
  • 2046846 - ET INFO DYNAMIC_DNS Query to a *.tanenbaumchat .org Domain (info.rules)
  • 2046847 - ET INFO DYNAMIC_DNS HTTP Request to a *.tanenbaumchat .org Domain (info.rules)
  • 2046848 - ET INFO DYNAMIC_DNS Query to a *.away .im Domain (info.rules)
  • 2046849 - ET INFO DYNAMIC_DNS HTTP Request to a *.away .im Domain (info.rules)
  • 2046850 - ET INFO DYNAMIC_DNS Query to a *.takony .hu Domain (info.rules)
  • 2046851 - ET INFO DYNAMIC_DNS HTTP Request to a *.takony .hu Domain (info.rules)
  • 2046852 - ET INFO DYNAMIC_DNS Query to a *.adamhayward .co .uk Domain (info.rules)
  • 2046853 - ET INFO DYNAMIC_DNS HTTP Request to a *.adamhayward .co .uk Domain (info.rules)
  • 2046854 - ET INFO DYNAMIC_DNS Query to a *.friendship .tw Domain (info.rules)
  • 2046855 - ET INFO DYNAMIC_DNS HTTP Request to a *.friendship .tw Domain (info.rules)
  • 2046856 - ET MALWARE Golang/Bandit Stealer Telegram Exfil Activity (POST) (malware.rules)
  • 2046857 - ET PHISHING Vietnamese Govt Credential Phish M1 2023-07-18 (phishing.rules)
  • 2046858 - ET PHISHING Vietnamese Govt Credential Phish M2 2023-07-18 (phishing.rules)
  • 2046859 - ET PHISHING Vietnamese Govt Credential Phish M3 2023-07-18 (phishing.rules)
  • 2046860 - ET EXPLOIT_KIT TA569 Keitaro TDS Domain in DNS Lookup (slurpslimes .org) (exploit_kit.rules)

Pro:

  • 2854841 - ETPRO MALWARE Win32/XWorm V2 CnC Command - PING Outbound (malware.rules)
  • 2854842 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
  • 2854843 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
  • 2854844 - ETPRO MALWARE Win32/XWorm CnC Command - Ping Inbound (malware.rules)
  • 2854845 - ETPRO MALWARE Win32/XWorm V2 CnC Command - RD+ Outbound (malware.rules)
  • 2854846 - ETPRO MALWARE Win32/XWorm V2 CnC Command - RD- Inbound (malware.rules)
  • 2854847 - ETPRO MALWARE Win32/XWorm V2 CnC Command - sendfileto Inbound (malware.rules)
  • 2854848 - ETPRO MALWARE Win32/XWorm V3 CnC Command - sendPlugin Outbound (malware.rules)
  • 2854849 - ETPRO MALWARE Win32/XWorm V3 CnC Command - savePlugin Inbound (malware.rules)
  • 2854850 - ETPRO MALWARE Win32/XWorm V3 CnC Command - Informations Outbound (malware.rules)
  • 2854851 - ETPRO MALWARE Win32/XWorm V3 CnC Command - GetInformations Inbound (malware.rules)
  • 2854852 - ETPRO MALWARE Win32/XWorm V3 CnC Command - GetInformations Outbound (malware.rules)
  • 2854853 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PCShutdown Inbound (malware.rules)
  • 2854854 - ETPRO MALWARE Win32/XWorm V2 CnC Command - PING Outbound (malware.rules)
  • 2854855 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
  • 2854856 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
  • 2854857 - ETPRO MALWARE Win32/XWorm CnC Command - Ping Inbound (malware.rules)
  • 2854858 - ETPRO MALWARE Win32/XWorm V2 CnC Command - RD+ Outbound (malware.rules)
  • 2854859 - ETPRO MALWARE Win32/XWorm V2 CnC Command - RD- Inbound (malware.rules)
  • 2854860 - ETPRO MALWARE Win32/XWorm V2 CnC Command - sendfileto Inbound (malware.rules)
  • 2854861 - ETPRO MALWARE Win32/XWorm V3 CnC Command - sendPlugin Outbound (malware.rules)
  • 2854862 - ETPRO MALWARE Win32/XWorm V3 CnC Command - savePlugin Inbound (malware.rules)
  • 2854863 - ETPRO MALWARE Win32/XWorm V3 CnC Command - Informations Outbound (malware.rules)
  • 2854864 - ETPRO MALWARE Win32/XWorm V3 CnC Command - GetInformations Inbound (malware.rules)
  • 2854865 - ETPRO MALWARE Win32/XWorm V3 CnC Command - GetInformations Outbound (malware.rules)
  • 2854866 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PCShutdown Inbound (malware.rules)
  • 2854867 - ETPRO MALWARE Win32/XWorm V2 CnC Command - PING Outbound (malware.rules)
  • 2854868 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
  • 2854869 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
  • 2854870 - ETPRO MALWARE Win32/XWorm CnC Command - Ping Inbound (malware.rules)
  • 2854871 - ETPRO MALWARE Win32/XWorm V2 CnC Command - RD+ Outbound (malware.rules)
  • 2854872 - ETPRO MALWARE Win32/XWorm V2 CnC Command - RD- Inbound (malware.rules)
  • 2854873 - ETPRO MALWARE Win32/XWorm V2 CnC Command - sendfileto Inbound (malware.rules)
  • 2854874 - ETPRO MALWARE Win32/XWorm V3 CnC Command - sendPlugin Outbound (malware.rules)
  • 2854875 - ETPRO MALWARE Win32/XWorm V3 CnC Command - savePlugin Inbound (malware.rules)
  • 2854876 - ETPRO MALWARE Win32/XWorm V3 CnC Command - Informations Outbound (malware.rules)
  • 2854877 - ETPRO MALWARE Win32/XWorm V3 CnC Command - GetInformations Inbound (malware.rules)
  • 2854878 - ETPRO MALWARE Win32/XWorm V3 CnC Command - GetInformations Outbound (malware.rules)
  • 2854879 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PCShutdown Inbound (malware.rules)
  • 2854880 - ETPRO MALWARE Win32/XWorm V2 CnC Command - PING Outbound (malware.rules)
  • 2854881 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
  • 2854882 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
  • 2854883 - ETPRO MALWARE Win32/XWorm CnC Command - Ping Inbound (malware.rules)
  • 2854884 - ETPRO MALWARE Win32/XWorm V2 CnC Command - RD+ Outbound (malware.rules)
  • 2854885 - ETPRO MALWARE Win32/XWorm V2 CnC Command - RD- Inbound (malware.rules)
  • 2854886 - ETPRO MALWARE Win32/XWorm V2 CnC Command - sendfileto Inbound (malware.rules)
  • 2854887 - ETPRO MALWARE Win32/XWorm V3 CnC Command - sendPlugin Outbound (malware.rules)
  • 2854888 - ETPRO MALWARE Win32/XWorm V3 CnC Command - savePlugin Inbound (malware.rules)
  • 2854889 - ETPRO MALWARE Win32/XWorm V3 CnC Command - Informations Outbound (malware.rules)
  • 2854890 - ETPRO MALWARE Win32/XWorm V3 CnC Command - GetInformations Inbound (malware.rules)
  • 2854891 - ETPRO MALWARE Win32/XWorm V3 CnC Command - GetInformations Outbound (malware.rules)
  • 2854892 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PCShutdown Inbound (malware.rules)
  • 2854893 - ETPRO MALWARE Win32/XWorm V2 CnC Command - PING Outbound (malware.rules)
  • 2854894 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
  • 2854895 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
  • 2854896 - ETPRO MALWARE Win32/XWorm CnC Command - Ping Inbound (malware.rules)
  • 2854897 - ETPRO MALWARE Win32/XWorm V2 CnC Command - RD+ Outbound (malware.rules)
  • 2854898 - ETPRO MALWARE Win32/XWorm V2 CnC Command - RD- Inbound (malware.rules)
  • 2854899 - ETPRO MALWARE Win32/XWorm V2 CnC Command - sendfileto Inbound (malware.rules)
  • 2854900 - ETPRO MALWARE Win32/XWorm V3 CnC Command - sendPlugin Outbound (malware.rules)
  • 2854901 - ETPRO MALWARE Win32/XWorm V3 CnC Command - savePlugin Inbound (malware.rules)
  • 2854902 - ETPRO MALWARE Win32/XWorm V3 CnC Command - Informations Outbound (malware.rules)
  • 2854903 - ETPRO MALWARE Win32/XWorm V3 CnC Command - GetInformations Inbound (malware.rules)
  • 2854904 - ETPRO MALWARE Win32/XWorm V3 CnC Command - GetInformations Inbound (malware.rules)
  • 2854905 - ETPRO MALWARE Win32/XWorm V3 CnC Command - GetInformations Outbound (malware.rules)
  • 2854906 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PCShutdown Inbound (malware.rules)
  • 2854907 - ETPRO MALWARE PS1/Unknown Stealer CnC Activity (POST) (2023-07-18) M1 (malware.rules)
  • 2854908 - ETPRO MALWARE PS1/Unknown Stealer CnC Activity (POST) (2023-07-18) M2 (malware.rules)

Disabled and modified rules:

  • 2045042 - ET MALWARE Gamaredon APT Related Domain in DNS Lookup (barakapi .ru) (malware.rules)
  • 2045043 - ET MALWARE Gamaredon APT Related Domain in DNS Lookup (badrupi .ru) (malware.rules)
  • 2045044 - ET MALWARE Gamaredon APT Related Domain in DNS Lookup (ahmozpi .ru) (malware.rules)
  • 2045045 - ET MALWARE Gamaredon APT Related Domain in DNS Lookup (bakaripi .ru) (malware.rules)
  • 2045048 - ET MALWARE Gamaredon APT Related Domain in DNS Lookup (akenatonbo .ru) (malware.rules)
  • 2045049 - ET MALWARE Gamaredon APT Related Domain in DNS Lookup (asheypi .ru) (malware.rules)
  • 2045050 - ET MALWARE Gamaredon APT Related Domain in DNS Lookup (atonpi .ru) (malware.rules)
  • 2045051 - ET MALWARE Gamaredon APT Related Domain in DNS Lookup (anumbo .ru) (malware.rules)
  • 2045052 - ET MALWARE Gamaredon APT Related Domain in DNS Lookup (aktaypo .ru) (malware.rules)
  • 2045053 - ET MALWARE Gamaredon APT Related Domain in DNS Lookup (amonbo .ru) (malware.rules)